On Fri, 22 May 2020 at 13:40, Paul Wouters <[email protected]> wrote:
>
> On Fri, 22 May 2020, Andrew Cagney wrote:
>
> > Here's the next subtle issue. From netkey-passthrough-03:
> >
> > conn west-east-passthrough-a
> >     also=west-east
> >     leftprotoport=tcp/0
> >     rightprotoport=tcp/222
> >     type=passthrough
> >     authby=never
> >
> > First:
> >
> > tcp/0 is interpreted as:
> >     proto=tcp
> >     port=0
> >     wild=false
> > and creates a permanent connection (but with seemingly wild ports -
> > 0-65535).
> >
> > This is subtly different to tcp/%any which is interpreted as:
> >     proto=tcp
> >     port=0
> >     wild=true
> > and creates a template connection
> >
> > Is this the intent?
>
> It's complicated.....
>
> The wildcard setting is meant for those connection configurations that
> could lead to more than one connection, and thus should be a template
> requiring instantiation. So if the 0 means "could become X in one
> connection and Y in another connection" then it should become a
> wildcard.
>
> So tcp/0 could mean multiple TCP connections to different ports, or
> it could mean one TCP connection to all ports. So tcp/%any should
> be a wildcard (port 0-65535) where tcp/0 in theory should mean only port 0.
> But I think people use both to mean the first :/
>
> This does not make much sense of course for TCP. But since this also
> maps subtypes, and subtypes might start at 0, someone could in
> theory do something like protoport=1/0 to only allow ICMP(1) with
> Echo Reply (0)
>
> Since it is relatively harmless to instantiate, it's probably better
> to over-interpret as wildcard.

... and that's what I tried. It broke netkey-passthrough-03. Because
tcp/0 was a "wildcard", the connection was flagged as a template, and
the routing code refused to route it. Look for "based upon policy, the
connection is a template":

https://testing.libreswan.org/v3.30-746-gb530392039-master/netkey-passthrough-03/OUTPUT/west.pluto.log.gz

So I've put things back to the way they were :-/

> > Second, this hits ikev2_ts.c:
> >
> > - the TS code flip-flops between using:
> >       if (e->port == 0 || e->has_port_wildcard) {
> >   and just:
> >       int end_high = end->port == 0 ? 65535 : end->port;
> >   to decide if the port is really a negotiable range
> >
> > The problem I see is with permanent connections (i.e., tcp/0). The
> > negotiated port is scribbled all over the connection's .port so the
> > magic value 0 is lost - a re-connect will be forced to use the
> > previous port value (but again perhaps that is the intent).
>
> Yeah. Possibly, we should just add some more logic here. If the protocol
> is udp or tcp, interpret as ports, if icmp, interpret 0 as subtype. But
> what to do for unknown protocol numbers?

If protoport accepts lo-hi then we don't care - just stuff the raw
port values into the relevant fields.

> Paul

_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
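The three interpretations argued over in this thread (tcp/0 as a permanent connection whose selector range still expands to 0-65535, tcp/%any as an explicit wildcard that makes the connection a template, and the proposed lo-hi form where raw values mean exactly what they say) are easiest to compare side by side in code. The parser below is an added example written for this page; it is not libreswan's own protoport or ikev2_ts.c code, and the struct, field and function names (protoport, ts_lo/ts_hi, parse_protoport, protoport_is_template, protoport_ts_hi) are assumptions made for the illustration. It keeps the negotiable range separate from the `.port` value as written, which is the field the thread says gets overwritten by the negotiated port.

```c
/* Added example, not libreswan's own parser: a minimal protoport parser that
 * makes the interpretations discussed in the thread explicit.  "tcp/0" keeps
 * port 0 with no wildcard (permanent connection) but yields a 0-65535
 * selector range; "tcp/%any" is an explicit wildcard (template connection);
 * "1/0-0" is the proposed lo-hi form, where the raw values are the range.
 * All names below are assumptions made for this example. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct protoport {
	unsigned proto;         /* IP protocol number: 6 = tcp, 17 = udp, 1 = icmp */
	unsigned port;          /* value as written; 0 is the ambiguous "magic" value */
	bool has_port_wildcard; /* true only for the explicit %any form */
	unsigned ts_lo, ts_hi;  /* range the traffic-selector code would negotiate */
};

/* Unsigned decimal in 0..65535; rejects signs, spaces and trailing junk. */
static bool parse_u16(const char *s, unsigned *out)
{
	if (!isdigit((unsigned char)*s))
		return false;
	char *end;
	unsigned long v = strtoul(s, &end, 10);
	if (*end != '\0' || v > 65535)
		return false;
	*out = (unsigned)v;
	return true;
}

/* Keyword or raw protocol number (assumption: a real parser would consult
 * the system protocol table rather than this short list). */
static bool parse_proto(const char *s, unsigned *out)
{
	if (strcmp(s, "tcp") == 0) { *out = 6; return true; }
	if (strcmp(s, "udp") == 0) { *out = 17; return true; }
	if (strcmp(s, "icmp") == 0) { *out = 1; return true; }
	return parse_u16(s, out) && *out <= 255;
}

/* Parse "proto/port", "proto/%any" or "proto/lo-hi"; false on any error. */
bool parse_protoport(const char *text, struct protoport *pp)
{
	char buf[64];
	if (strlen(text) >= sizeof(buf))
		return false;
	strcpy(buf, text);
	memset(pp, 0, sizeof(*pp));

	char *slash = strchr(buf, '/');
	if (slash == NULL)
		return false;
	*slash = '\0';
	char *port = slash + 1;
	if (!parse_proto(buf, &pp->proto))
		return false;

	if (strcmp(port, "%any") == 0) {
		/* explicit wildcard: template connection, whole range */
		pp->has_port_wildcard = true;
		pp->ts_hi = 65535;
		return true;
	}
	char *dash = strchr(port, '-');
	if (dash != NULL) {
		/* proposed lo-hi form: raw values are the range, no magic 0 */
		*dash = '\0';
		if (!parse_u16(port, &pp->ts_lo) || !parse_u16(dash + 1, &pp->ts_hi))
			return false;
		pp->port = pp->ts_lo;
		return pp->ts_lo <= pp->ts_hi;
	}
	if (!parse_u16(port, &pp->port))
		return false;
	/* single value: mirrors "end_high = port == 0 ? 65535 : port" */
	pp->ts_lo = pp->port;
	pp->ts_hi = pp->port == 0 ? 65535 : pp->port;
	return true;
}

/* Single-answer helpers; each returns -1 when the text does not parse. */
int protoport_is_template(const char *text)
{
	struct protoport pp;
	return parse_protoport(text, &pp) ? (int)pp.has_port_wildcard : -1;
}
int protoport_ts_hi(const char *text)
{
	struct protoport pp;
	return parse_protoport(text, &pp) ? (int)pp.ts_hi : -1;
}

int main(void)
{
	/* constructed sample inputs covering the forms discussed in the thread */
	const char *samples[] = { "tcp/0", "tcp/%any", "tcp/222", "1/0", "1/0-0", "tcp/5-3" };
	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		struct protoport pp;
		if (!parse_protoport(samples[i], &pp)) {
			printf("%-10s rejected\n", samples[i]);
			continue;
		}
		printf("%-10s proto=%u port=%u wild=%s ts=%u-%u (%s)\n", samples[i],
		       pp.proto, pp.port, pp.has_port_wildcard ? "true" : "false",
		       pp.ts_lo, pp.ts_hi, pp.has_port_wildcard ? "template" : "permanent");
	}
	return 0;
}
```

Running it prints one line per sample: "1/0" comes out as ICMP with a 0-65535 range (the over-interpretation Paul describes), while "1/0-0" pins the range to exactly 0, which is the behaviour the lo-hi proposal gives without any per-protocol special casing. Because the negotiable range lives in ts_lo/ts_hi rather than in `.port`, later writing a negotiated port into `.port` does not erase the information that the configured value was 0.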
